EDR appears to detect USB keystick insertion as a Network event
search cancel

EDR appears to detect USB keystick insertion as a Network event


Article ID: 230056


Updated On:


Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response


When a Symantec Endpoint Protection (SEP) client detects insertion of a USB stick, Endpoint Detection and Response (EDR) appears to report USB keystick insertion as a Network detection of Malicious Traffic.


EDR 4.6.x


When SEP sends an event of this type, EDR mis-maps this event within its database.


BROADCOM commits to resolve this issue in a future build.


To install patch atp-patch2-4.6.7-1

  1. At the admin CLI of EDR, type:
    show -v

  2. If version is less than 4.6.7, then type:
    update download

  3. If no errors occur during update download, type:
    update install

  4. Updating the software version may require up to two reboots of EDR appliance before continuing.
    To confirm the installed patches, type:
    patch list_installed

  5. If "atp-patch2-4.6.7-1" appears in the output, the EDR appliance is already patched for this issue. No further action is needed for this particular EDR appliance.
    To check for the patch in the download repository, type:
    patch list

  6. If "atp-patch2-4.6.7-1" does not appear in the download repository, please contact support for further assistance and reference KB #. Also copy and paste the output from this command into the case comments.
    To download the patch, type:
    patch download atp-patch2-4.6.7-1

  7. If the last three lines from patch download are not as follows, create a support case and paste the output from patch download into the case comments.
      atp-patch2-4.6.7-1.x86_64.rpm                              | 1.2 MB   00:01 ETA 
      Download succeeded
      Function: main returned success

  8. To install the patch, type:
    patch install atp-patch2-4.6.7-1

  9. When the patch installation reaches the line "Executing 4.6.7-HF2 script", it has begun running a script to purge zombie entries from the Endpoint Entities database. This script make take some time to run. During this time, if you are connected via ssh, please take steps to keep the ssh connection alive, such as pressing the <ENTER> key once every 2-5 minutes. This interval finishes when the script outputs "Executing 4.6.7-HF2 script done."

  10. If patch install does not include the following two lines, create a new support case and copy and paste the output from the patch install command into the comments.
       Patch installation Success!
       Function: do_install returned success




Additional Information

Does installing atp-patch2-4.6.7-1 require installation of atp-patch-4.6.7-1?